Arbitrary (javascript) code injection allowed through profile page


natto fire

Diamond Member
Jan 4, 2000
7,117
10
76
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

guyver01

Lifer
Sep 25, 2000
22,135
5
61
Originally posted by: Chris
I thought we were going to VB. What's the status?

VB is being developed for Anandtech, alongside Duke Nuk'em Forever.

When DNF comes out, AT will switch to VB

skace

Lifer
Jan 23, 2001
14,488
7
81
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

Whitelist forums.anandtech.com in Noscript. The XSS stuff still runs even on a whitelisted site, there are very few (3) exceptions, I believe.

SunnyD

Belgian Waffler
Jan 2, 2001
32,675
146
106
www.neftastic.com
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

Whitelist forums.anandtech.com in Noscript. The XSS stuff still runs even on a whitelisted site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit; however, its utility would be somewhat limited but still possibly dangerous.

Not my fault

Member
Jun 27, 2006
54
0
0
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. :D

olds

Elite Member
Mar 3, 2000
50,128
781
126
Originally posted by: Not my fault
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. :D

Will you be changing your name to "The Buck Stops Here"?

SunnyD

Belgian Waffler
Jan 2, 2001
32,675
146
106
www.neftastic.com
Originally posted by: Not my fault
Hello all, it's a bit overdue that I'm posting to this thread, but I was made aware of the issue last week and we took care of it to the best of our ability. The code injection was corrected last week and there is no further risk for that happening.

Security is of the utmost importance to me, and even though direct forum administration is not my job, I do take it upon myself to get involved when necessary to help address those issues.

On a side note, vB is quite close now. It would have already been done as the infrastructure is ready, but there are some other surprises that will be happening at the same time so it must be coordinated together. It is a very large project so once you see the results, I hope you will understand (some) of the delays. :D

I'm going to assume that you're doing some back end validation now, because the profile form hasn't changed any. Unfortunately, I'm not willing to be banned, so I'm going to "take your word for it" for the time being.
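The "back end validation" SunnyD is asking about, shown as an added illustration that is not code from this thread, from FuseTalk or from AnandTech: the server accepts a profile avatar only as an absolute http(s) URL and escapes every profile field for the HTML context it is rendered into, so markup submitted through the profile form is displayed literally instead of executed. Field names and limits are assumptions.

```python
import html
from urllib.parse import urlsplit

# Hypothetical server-side checks for two profile fields a forum renders into
# other members' pages: the avatar URL (attribute context) and the signature
# (text context). Added example; names and limits are assumptions.
ALLOWED_SCHEMES = {"http", "https"}
MAX_SIGNATURE_LEN = 200


class ProfileValidationError(ValueError):
    """Raised when a submitted profile value must be refused outright."""


def validate_avatar_url(raw: str) -> str:
    """Accept only an absolute http(s) URL with a host, then escape it so it
    is safe inside src="...". Rejects javascript:, data:, scheme-relative
    and control-character-laden values regardless of any client-side check."""
    raw = raw.strip()
    # Check the raw string: urlsplit() silently drops tab/newline characters,
    # so the scheme test alone would not see them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        raise ProfileValidationError("whitespace/control characters in URL")
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ProfileValidationError("avatar must be an absolute http(s) URL")
    return html.escape(raw, quote=True)


def sanitize_signature(raw: str) -> str:
    """Store the signature as plain text and escape <, >, &, quotes on output
    so a <script> tag in the field shows up as text, not as code."""
    raw = raw.strip()
    if len(raw) > MAX_SIGNATURE_LEN:
        raise ProfileValidationError("signature too long")
    return html.escape(raw, quote=True)


def render_profile_snippet(avatar_url: str, signature: str) -> str:
    """Return the HTML fragment embedded beside a post, built only from
    values already validated and escaped for their contexts."""
    img = f'<img src="{validate_avatar_url(avatar_url)}" alt="avatar">'
    return f"{img}<p>{sanitize_signature(signature)}</p>"


def profile_is_accepted(avatar_url: str, signature: str) -> bool:
    """Convenience wrapper: True if both fields pass server-side validation."""
    try:
        render_profile_snippet(avatar_url, signature)
        return True
    except ProfileValidationError:
        return False
```

An unchanged profile form is irrelevant here: every value is re-checked and escaped on the server, so bypassing the form with a modified request gains nothing.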

Platypus

Lifer
Apr 26, 2001
31,046
321
136
A user changed his avatar again today in a thread so I doubt this is fixed at all. I also am not going to go messing around but FT is fundamentally a piece of shit and there's no helping it. I don't know who is using that moniker but to say security is of the utmost importance to you is kind of a joke in my opinion.

There aren't enough bells and whistles in the world that make up for the ridiculous amount of time it has taken to get over to VB.

Spacehead

Lifer
Jun 2, 2002
13,067
9,858
136
Originally posted by: SunnyD
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

Whitelist forums.anandtech.com in Noscript. The XSS stuff still runs even on a whitelisted site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit; however, its utility would be somewhat limited but still possibly dangerous.
So, by allowing "forums.anandtech.com" or "anandtech.com" in NoScript we're mostly safe but not entirely till this is fixed?

SunnyD

Belgian Waffler
Jan 2, 2001
32,675
146
106
www.neftastic.com
Originally posted by: Spacehead
Originally posted by: SunnyD
Originally posted by: skace
Originally posted by: Captain Howdy
Is there a way to use Noscript and still maintain basic functionality of this forum, or are we pretty much screwed there? (I can't go to the next page of a thread without modifying the url, quick reply doesn't really work that well, and my forums is basically useless)

Whitelist forums.anandtech.com in Noscript. The XSS stuff still runs even on a whitelisted site, there are very few (3) exceptions, I believe.

This. NoScript will allow scripts from the local site to run (meaning a potential script to point to something offsite will run) when the given site is on the whitelist. However, any ENTIRE malicious script would have to run directly from AnandTech (which you would have whitelisted) in order to actually execute. Any script coming from an arbitrary server off site would automatically be blacklisted on the page read.

Now mind you - it is entirely possible to craft a script that would run directly off of the AnandTech server with this injection exploit; however, its utility would be somewhat limited but still possibly dangerous.
So, by allowing "forums.anandtech.com" or "anandtech.com" in NoScript we're mostly safe but not entirely till this is fixed?

Pretty much.

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
I'm still trying to figure out how security could be of so much importance, yet little is being done to correct the issue.

My immediate action would be to port the database over to vB (which I'm sure is already possible, if not, what the fuck?). Then, and this concept might blow your mind, I would start to work on the additions that I think would make vB even more superior as a forum software (not being FuseTalk already makes it awesome).

I mean, seriously. Why not just move the basics over right now? I don't think anyone really gives a fuck about these new features, they'd rather just have the current ones, but actually functional. We want secure forums, because we all know what happened last time.

That was nearly three years ago. How much longer are you going to wait?

daw123

Platinum Member
Aug 30, 2008
2,593
0
0
Originally posted by: Alone
We want secure forums, because we all know what happened last time.

Holy sh*t; that's both amusing and scary. Is there any update on whether this security issue has been sorted?